sad treacherous computing day

Alfred M. Szmidt ams at
Tue May 8 22:17:58 UTC 2007

   >    An attacker who has physical access to your machine can pull
   >    the disk and put his own kernel on it that will perform his
   >    own nefarious tasks. But if you made use of the TC module then
   >    I believe you can prevent him from being able to do this --
   >    the system will simply refuse to load his modified kernel.
   > The attackar can then copy all data, install keyloggers, trojans,
   > backdoors and what not, so you are SOL anyway.

   That's not correct; at least, not with this hardware. If the data
   is protected by TPM (e.g., encrypted with a TPM-controlled key) he
   could copy it but not read it, and if the OS' TPM protection was
   enabled (e.g., only able to run binaries signed with a
   TPM-controlled key) then he wouldn't be able to install that
   software in a way that it actually ran.

The scenario was a signed kernel.  But you show a great example of
another reason why TC is evil: users cannot install local software,
since local software is not signed, it cannot be run.  If a user can
insert a unsigned program that is run, they can insert trojans,
keyloggers and what not.

   The best an attacker would be able to do would be to swap out the
   hardware of yours with something he had control of; but even then,
   the TPM in the new hardware (if it even existed) wouldn't be able
   to access your data since the encryption keys in the hardware would
   be different - you'd basically have to retrieve the keys out of the
   TPM chip via scanning electron microscopes or some such.

   In many ways, a TPM chip isn't that much different to the FSFE
   membership card - you can have encryption keys in the hardware
   which are pretty tough to extract, and if the user has control over
   those, there are a lot of security features you can turn on. The
   fact that it's inbuilt into the hardware makes it tough to tamper

I find the GPG card (or whatever it is called) quite different from
TC, it doesn't prohibit you from running things.  And this is the
sole, and _only_ goal of TC, to control who can run what, via hardware
so that others cannot decide what they will do.

More information about the Discussion mailing list